@cloudbase/oauth 0.1.1-alpha → 0.1.1-alpha.2

package/src/oauthclient/index.ts

@@ -0,0 +1,33 @@
+import {App} from "../app";
+import {_getComponent} from "../app/internal";
+import {OAuth2Client} from "./oauthclient";
+import {Credentials as credentials, ResponseError as responseError} from './models';
+import {AuthClient as authClient, RequestFn as requestFn} from "./interface";
+export {ErrorType} from './consts';
+
+export interface InitOptions {
+    request?: RequestFn;
+    retry?: number;
+    refreshTokenFunc?: (refreshToken?: string) => Promise<Credentials>;
+    tokenInURL?: boolean;
+    headers?: { [key: string]: string };
+}
+
+export function getOAuthClient(app: App, opts?: InitOptions): authClient {
+    return _getComponent<authClient>(app, "oauthclient", (): authClient => {
+        const appOpts = app.options
+        const oauthOpts = {
+            clientId: appOpts.clientId,
+            clientSecret: appOpts.clientSecret,
+            request: appOpts.request,
+            storage: appOpts.storage,
+        }
+        return (new OAuth2Client(oauthOpts))
+    });
+}
+
+
+export type Credentials = credentials
+export type AuthClient = authClient
+export type RequestFn = requestFn
+export type ResponseError = responseError

package/src/oauthclient/interface.ts

@@ -0,0 +1,34 @@
+import {Credentials, AuthClientRequestOptions} from './models';
+
+/**
+ * the interface for the Oauth2Client
+ */
+export abstract class AuthClient {
+    /**
+     * Sets the auth credentials.
+     */
+    abstract setCredentials(credentials?: Credentials): void;
+
+    /**
+     * Provides an alternative fetch api request implementation with auth credentials
+     * if options.withCredentials:true, the request will auto add Authorization: Bearer <AccessToken> in the request
+     * error:
+     *     - unreachable, the network error or response is not json
+     *     - unauthenticated: has no validate access token
+     */
+    abstract request: RequestFn;
+
+    /**
+     * get the current accessToken from AuthClient, you can use this to detect login status
+     * error:
+     *    -  unauthenticated: has no validate access token
+     */
+    abstract getAccessToken(): Promise<string>;
+
+    /**
+     * get the current token scope
+     */
+    abstract getScope(): Promise<string>;
+}
+
+export type RequestFn = <T>(url: string, options?: AuthClientRequestOptions) => Promise<T>;

package/src/oauthclient/models.ts

@@ -0,0 +1,50 @@
+import {RequestFn, RequestOptions, Storage} from "../app";
+import {ErrorType} from './consts';
+
+// Credentials
+export interface Credentials {
+    token_type?: string;
+    access_token?: string;
+    refresh_token?: string;
+    scope?: string;
+    expires_in?: number;
+    expires_at?: Date;
+    sub?: string;
+}
+
+// An Error For all concern
+export interface ResponseError {
+    error: ErrorType;
+    error_description?: string;
+    error_uri?: string;
+    details?: any;
+    request_id?: string;
+}
+
+// refer https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Authentication
+export interface AuthClientRequestOptions extends RequestOptions {
+    headers?: {
+        'x-request-id'?: string;
+        [key: string]: any;
+    };
+    // Bearer https://datatracker.ietf.org/doc/html/rfc6750
+    withCredentials?: boolean;
+    // Basic https://datatracker.ietf.org/doc/html/rfc7617
+    withBasicAuth?: boolean;
+    retry?: number;
+
+    [key: string]: any;
+}
+
+export interface OAuth2ClientOptions {
+    clientId: string;  // Storage, default is localStorage, setItem(k, v), getItem(k),removeItem(k)
+    storage: Storage;
+    request: RequestFn;
+    clientSecret?: string;
+    // default value is 1,min value is 0, max value is 5
+    retry?: number;
+    refreshTokenFunc?: (refreshToken?: string) => Promise<Credentials>;
+    // set the token in url query instead of header
+    tokenInURL?: boolean;
+    headers?: { [key: string]: string };
+}

package/src/oauthclient/oauthclient.ts

@@ -0,0 +1,487 @@
+import {ErrorType} from './consts';
+
+import {AuthClient} from './interface';
+import {RequestFn, Storage} from "../app";
+
+import {
+    Credentials,
+    ResponseError,
+    OAuth2ClientOptions,
+    AuthClientRequestOptions,
+} from './models';
+
+import {uuidv4} from '../utils/uuid';
+
+import {PromiseOnce} from '../utils/promise';
+
+const RequestIdHeaderName = 'x-request-id';
+const DeviceIdHeaderName = 'x-device-id';
+const DeviceIdSectionName = 'device_';
+
+export interface ToResponseErrorOptions {
+    error?: ErrorType;
+    error_description?: string;
+    error_uri?: string;
+    details?: any;
+}
+
+
+export const toResponseError = (
+    error: ResponseError | Error,
+    options?: ToResponseErrorOptions,
+): ResponseError => {
+    let responseError: ResponseError;
+    const formatOptions: ToResponseErrorOptions = options || {};
+    if (error instanceof Error) {
+        responseError = {
+            error: formatOptions.error || ErrorType.LOCAL,
+            error_description: formatOptions.error_description || error.message,
+            error_uri: formatOptions.error_uri,
+            details: formatOptions.details || error.stack,
+        };
+    } else {
+        const formatError: ToResponseErrorOptions = error || {};
+        responseError = {
+            error: formatOptions.error || formatError.error || ErrorType.LOCAL,
+            error_description:
+                formatOptions.error_description || formatError.error_description,
+            error_uri: formatOptions.error_uri || formatError.error_uri,
+            details: formatOptions.details || formatError.details,
+        };
+    }
+    return responseError;
+};
+
+/**
+ * Generate request id.
+ * @return {string}
+ */
+export function generateRequestId(): string {
+    return uuidv4();
+}
+
+
+interface LocalCredentialsOptions {
+    tokenSectionName: string;
+    storage: Storage;
+}
+
+/**
+ * Check if credentials is expired.
+ * @param {Credentials} credentials
+ * @return {boolean}
+ */
+function isCredentialsExpired(credentials: Credentials): boolean {
+    let isExpired = true;
+    if (credentials && credentials.expires_at && credentials.access_token) {
+        isExpired = credentials.expires_at < new Date();
+    }
+    return isExpired;
+}
+
+/**
+ * Local credentials.
+ * Local credentials, with memory cache and storage cache.
+ * If the memory cache expires, the storage cache is automatically loaded.
+ */
+export class LocalCredentials {
+    private _tokenSectionName: string;
+
+    private _storage: Storage;
+
+    private _credentials: Credentials = null;
+
+    private _promiseOnce: PromiseOnce = new PromiseOnce();
+
+    /**
+     * constructor
+     * @param {LocalCredentialsOptions} options
+     */
+    constructor(options: LocalCredentialsOptions) {
+        this._tokenSectionName = options.tokenSectionName;
+        this._storage = options.storage;
+    }
+
+    /**
+     * setCredentials Provides an alternative fetch api request implementation with auth credentials
+     * @param {Credentials} credentials
+     */
+    public async setCredentials(credentials?: Credentials): Promise<void> {
+        if (credentials && credentials.expires_in) {
+            credentials.expires_at = new Date(
+                Date.now() + (credentials.expires_in - 30) * 1000,
+            );
+            if (this._storage) {
+                const tokenStr: string = JSON.stringify(credentials);
+                await this._storage.setItem(this._tokenSectionName, tokenStr);
+            }
+            this._credentials = credentials;
+        } else {
+            if (this._storage) {
+                await this._storage.removeItem(this._tokenSectionName);
+            }
+            this._credentials = null;
+        }
+    }
+
+    /**
+     * Get credentials.
+     * @return {Promise<Credentials>}
+     */
+    public async getCredentials(): Promise<Credentials> {
+        return this._promiseOnce.run('getCredentials', async () => {
+            if (isCredentialsExpired(this._credentials)) {
+                this._credentials = await this._getStorageCredentials();
+            }
+            return this._credentials;
+        });
+    }
+
+    /**
+     * Get storage credentials.
+     */
+    private async _getStorageCredentials(): Promise<Credentials> {
+        return this._promiseOnce.run('_getStorageCredentials', async () => {
+            let credentials: Credentials = null;
+            const tokenStr: string = await this._storage.getItem(
+                this._tokenSectionName,
+            );
+            if (tokenStr !== undefined && tokenStr !== null) {
+                try {
+                    credentials = JSON.parse(tokenStr);
+                    if (credentials && credentials.expires_at) {
+                        credentials.expires_at = new Date(credentials.expires_at);
+                    }
+                } catch (error) {
+                    await this._storage.removeItem(this._tokenSectionName);
+                    credentials = null;
+                }
+            }
+            return credentials;
+        });
+    }
+}
+
+/**
+ * OAuth2Client
+ */
+export class OAuth2Client implements AuthClient {
+    private static _defaultRetry = 2;
+    private static _minRetry = 0;
+    private static _maxRetry = 5;
+    private static _retryInterval = 1000;
+    private _retry: number;
+    private _baseRequest: RequestFn;
+    private _basicAuth?: string;
+    private _localCredentials: LocalCredentials;
+    private _storage: Storage;
+    private _deviceID?: string;
+    private _tokenInURL?: boolean;
+    private _refreshTokenFunc: (refreshToken?: string) => Promise<Credentials>;
+    private _headers?: { [key: string]: string };
+    private _promiseOnce: PromiseOnce = new PromiseOnce();
+
+    /**
+     * constructor
+     * @param {OAuth2ClientOptions} options
+     */
+    constructor(options: OAuth2ClientOptions) {
+        this._retry = this._formatRetry(options.retry, OAuth2Client._defaultRetry);
+        this._baseRequest = options.request
+        if (!options.clientSecret) {
+            options.clientSecret = ""
+        }
+        if (options.clientId !== '') {
+            this._basicAuth = "Basic " + btoa(options.clientId + ":" + options.clientSecret);
+        }
+        this._tokenInURL = options.tokenInURL;
+        this._headers = options.headers;
+        // @ts-ignore
+        this._storage = options.storage || defaultStorage;
+        this._localCredentials = new LocalCredentials({
+            tokenSectionName: 'credentials_',
+            storage: this._storage,
+        });
+        this._refreshTokenFunc =
+            options.refreshTokenFunc || this._defaultRefreshTokenFunc;
+    }
+
+    /**
+     * setCredentials Provides an alternative fetch api request implementation with auth credentials
+     * @param {Credentials} credentials
+     * @return {Promise<void>}
+     */
+    public setCredentials(credentials?: Credentials): Promise<void> {
+        return this._localCredentials.setCredentials(credentials);
+    }
+
+    /**
+     * getAccessToken return a validate access token
+     */
+    public async getAccessToken(): Promise<string> {
+        const credentials: Credentials = await this._getCredentials();
+        if (credentials && credentials.access_token) {
+            return Promise.resolve(credentials.access_token);
+        }
+        return Promise.reject({error: ErrorType.UNAUTHENTICATED} as ResponseError);
+    }
+
+    /**
+     * getScope return a validate access token
+     */
+    public async getScope(): Promise<string> {
+        let credentials: Credentials = await this._localCredentials.getCredentials();
+        if (credentials == null) {
+            return this._unAuthenticatedError("credentials not found")
+        }
+        return credentials.scope;
+    }
+
+
+    /**
+     * request http like simple fetch api, exp:request('/v1/user/me', {withCredentials:true})
+     * @param {string} url
+     * @param {AuthClientRequestOptions} options
+     */
+    public async request<T>(
+        url: string,
+        options?: AuthClientRequestOptions,
+    ): Promise<T> {
+        if (!options) {
+            options = {};
+        }
+        const retry: number = this._formatRetry(options.retry, this._retry);
+        options.headers = options.headers || {};
+        if (this._headers) {
+            options.headers = {
+                ...this._headers,
+                ...options.headers,
+            };
+        }
+        if (!options.headers[RequestIdHeaderName]) {
+            options.headers[RequestIdHeaderName] = generateRequestId();
+        }
+        if (!options.headers[DeviceIdHeaderName]) {
+            const deviceId = await this._getDeviceId();
+            options.headers[DeviceIdHeaderName] = deviceId;
+        }
+        if (options && options.withBasicAuth && this._basicAuth) {
+            options.headers['Authorization'] = this._basicAuth
+        }
+        if (options && options.withCredentials) {
+            const credentials = await this._getCredentials();
+            if (credentials) {
+                if (this._tokenInURL) {
+                    if (url.indexOf('?') < 0) {
+                        url += '?';
+                    }
+                    url += 'access_token=' + credentials.access_token;
+                } else {
+                    options.headers['Authorization'] =
+                        credentials.token_type + ' ' + credentials.access_token;
+                }
+            }
+        }
+        let response: T;
+        const maxRequestTimes: number = retry + 1;
+        for (
+            let requestTime = 0;
+            requestTime < maxRequestTimes;
+            requestTime++
+        ) {
+            try {
+                response = await this._baseRequest<T>(url, options);
+                break;
+            } catch (responseError) {
+                if (options.withCredentials && responseError && responseError.error === ErrorType.UNAUTHENTICATED) {
+                    await this.setCredentials(null);
+                    return Promise.reject(responseError);
+                }
+                if (
+                    requestTime === retry ||
+                    !responseError ||
+                    responseError.error !== 'unreachable'
+                ) {
+                    return Promise.reject(responseError);
+                }
+            }
+            await this._sleep(OAuth2Client._retryInterval);
+        }
+        return response;
+    }
+
+    /**
+     * Check retry value.
+     * @param {number} retry
+     * @return {number}
+     */
+    private _checkRetry(retry: number): number {
+        let responseError: ResponseError = null;
+        if (
+            typeof retry !== 'number' ||
+            retry < OAuth2Client._minRetry ||
+            retry > OAuth2Client._maxRetry
+        ) {
+            responseError = {
+                error: ErrorType.UNREACHABLE,
+                error_description: 'wrong options param: retry',
+            };
+        }
+        if (responseError) {
+            throw responseError;
+        }
+        return retry;
+    }
+
+    /**
+     * Format retry value.
+     * @param {number} retry
+     * @param {number} defaultVale
+     * @return {number}
+     */
+    private _formatRetry(retry: number, defaultVale: number): number {
+        if (typeof retry === 'undefined') {
+            return defaultVale;
+        } else {
+            return this._checkRetry(retry);
+        }
+    }
+
+    /**
+     * Sleep.
+     * @param {number} ms
+     * @return {Promise<void>}
+     */
+    private async _sleep(ms: number): Promise<void> {
+        return new Promise<void>((resolve) => {
+            setTimeout(() => {
+                resolve();
+            }, ms);
+        });
+    }
+
+    /**
+     * Refresh expired token.
+     * @param {Credentials} credentials
+     * @return {Promise<Credentials>}
+     */
+    private async _refreshToken(credentials: Credentials): Promise<Credentials> {
+        return this._promiseOnce.run('_refreshToken', async () => {
+            if (!credentials || !credentials.refresh_token) {
+                return this._unAuthenticatedError('no refresh token found in credentials');
+            }
+            try {
+                const newCredentials: Credentials = await this._refreshTokenFunc(
+                    credentials.refresh_token,
+                );
+                await this._localCredentials.setCredentials(newCredentials);
+                return newCredentials
+            } catch (error) {
+                if (error.error === ErrorType.INVALID_GRANT) {
+                    await this._localCredentials.setCredentials(null);
+                    return this._unAuthenticatedError(error.error_description);
+                }
+                return Promise.reject(error);
+            }
+        });
+    }
+
+    /**
+     * anonymous signIn
+     * @param {Credentials} credentials
+     * @return {Promise<Credentials>}
+     */
+    private async _anonymousSignIn(credentials: Credentials): Promise<Credentials> {
+        return this._promiseOnce.run('_anonymous', async () => {
+            if (!credentials || credentials.scope !== 'anonymous') {
+                return this._unAuthenticatedError('no anonymous in credentials');
+            }
+            try {
+                const newCredentials: Credentials = await this.request('/auth/v1/signin/anonymously', {
+                    method: 'POST',
+                    withBasicAuth: true,
+                    body: {}
+                });
+                await this._localCredentials.setCredentials(newCredentials);
+                return newCredentials
+            } catch (error) {
+                if (error.error === ErrorType.INVALID_GRANT) {
+                    await this._localCredentials.setCredentials(null);
+                    return this._unAuthenticatedError(error.error_description);
+                }
+                return Promise.reject(error);
+            }
+        });
+    }
+
+    /**
+     * Default refresh token function.
+     * @param {string} refreshToken
+     * @return {Promise<Credentials>}
+     */
+    private _defaultRefreshTokenFunc(
+        refreshToken?: string,
+    ): Promise<Credentials> {
+        if (refreshToken === undefined || refreshToken === '') {
+            return this._unAuthenticatedError('refresh token not found');
+        }
+        return this.request('/auth/v1/token', {
+            method: 'POST',
+            withBasicAuth: true,
+            body: {
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+            },
+        });
+    }
+
+    /**
+     * Get credentials.
+     */
+    private async _getCredentials(): Promise<Credentials> {
+        let credentials: Credentials = await this._localCredentials.getCredentials();
+        if (credentials == null) {
+            return this._unAuthenticatedError("credentials not found")
+        }
+        if (isCredentialsExpired(credentials)) {
+            if (credentials && credentials.scope === 'anonymous') {
+                credentials = await this._anonymousSignIn(credentials)
+            } else {
+                credentials = await this._refreshToken(credentials);
+            }
+        }
+        return credentials;
+    }
+
+    /**
+     * Get deviceId
+     */
+    private async _getDeviceId(): Promise<string> {
+        if (this._deviceID) {
+            return this._deviceID;
+        }
+        let deviceId: string = await this._storage.getItem(
+            DeviceIdSectionName,
+        );
+        if (!(typeof deviceId === 'string' &&
+            deviceId.length >= 16 &&
+            deviceId.length <= 48)) {
+            deviceId = uuidv4();
+            await this._storage.setItem(DeviceIdSectionName, deviceId);
+        }
+        this._deviceID = deviceId;
+        return deviceId;
+    }
+
+    /**
+     * Generate unAuthenticated error.
+     * @param {string} err
+     * @return {Promise<T>}
+     */
+    private _unAuthenticatedError<T>(err?: string): Promise<T> {
+        return Promise.reject({
+            error: ErrorType.UNAUTHENTICATED,
+            error_description: err,
+        } as ResponseError);
+    }
+}

package/src/utils/promise.ts

@@ -0,0 +1,41 @@
+/**
+ * Promise Once
+ */
+export class PromiseOnce {
+    /**
+     * Run Once promise.
+     * @param {string} key
+     * @param {Function} fn
+     * @return {Promise<T>}
+     */
+    async run<T>(key: string, fn: () => Promise<T>): Promise<T> {
+        let result: Promise<any> = this._fnPromiseMap.get(key);
+        if (!result) {
+            result = new Promise<any>(async (resolve, reject) => {
+                try {
+                    // The idle promise must be run to prevent _fnPromiseMap from
+                    // storing the current promise function.
+                    await this._runIdlePromise();
+                    const fnResult: Promise<T> = fn();
+                    resolve(await fnResult);
+                } catch (error) {
+                    reject(error);
+                } finally {
+                    this._fnPromiseMap.delete(key);
+                }
+            });
+            this._fnPromiseMap.set(key, result);
+        }
+        return result;
+    }
+
+    /**
+     * Run idle promise.
+     * @return {Promise<void>}
+     */
+    private _runIdlePromise(): Promise<void> {
+        return Promise.resolve();
+    }
+
+    private _fnPromiseMap: Map<string, Promise<any>> = new Map();
+}

package/src/utils/uuid.ts

@@ -0,0 +1,11 @@
+/**
+ * Generate uuidv4 string.
+ * @return {string}
+ */
+export function uuidv4(): string {
+    return 'xxxxxxxxxxxx4xxxyxxxxxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
+        const r = (Math.random() * 16) | 0;
+        const v = c == 'x' ? r : (r & 0x3) | 0x8;
+        return v.toString(16);
+    });
+}